Command-line TLS certificate inspector


certinspect 0.5.0

pip install certinspect


Latest release

Released: Jun 26, 2026


Verified details

These details have been verified by PyPI

Maintainers: mangrisano

Unverified details

These details have not been verified by PyPI

Meta

License Expression: MIT


Author: Michele Angrisano

Tags: tls, ssl, certificate, x509, cli

Requires: Python >=3.10

Provides-Extra: dev

Classifiers

Environment :: Console
Programming Language :: Python :: 3
Topic :: Security :: Cryptography


Project description

certinspect

Command-line TLS certificate inspector.

Given one or more domains (or a .pem/.der file), it reports:

Validity and days to expiry

Total validity period

Subject and issuer

Subject Alternative Names (SAN)

Signature algorithm and key size

SHA-256 fingerprint

CA flag and self-signed flag

Key usage and extended key usage

Weak-crypto warnings

Negotiated TLS version and cipher

Hostname match against the certificate

Requirements

Python >= 3.10

Installation

pip install certinspect

From source (development)

python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

Usage

# Inspect a host
certinspect example.com

# A full URL or host:port works too (scheme and path are ignored)
certinspect https://example.com/login
certinspect example.com:8443

# Multiple hosts at once (batch mode)
certinspect example.com github.com api.example.com

# Custom port
certinspect example.com --port 8443

# Custom connection timeout in seconds (default: 5)
certinspect example.com --timeout 10

# JSON output (always a list of objects)
certinspect example.com --json

# Inspect a local certificate
certinspect --file ./certificate.pem

# Custom expiry warning threshold (default: 30 days)
certinspect example.com --days 14

# Only print certificates that have a problem
certinspect example.com github.com --quiet

# Verify the certificate chain against the system trust store
certinspect example.com --verify

# Show the certificate chain presented by the server
certinspect example.com --chain

# Fail (exit 7) unless the fingerprint matches the expected pin
certinspect example.com --pin AA:BB:CC:...

# Read targets from a file (or '-' for stdin)
certinspect --input hosts.txt
cat hosts.txt | certinspect --input -

# Save the fetched certificate as PEM
certinspect example.com --export ./fetched.pem

# Monitoring output: a Nagios/Icinga plugin line per target
# (exit code follows the plugin convention: 0=OK, 1=WARNING, 2=CRITICAL)
certinspect example.com --exporter nagios

# Monitoring output: Prometheus textfile-collector metrics
certinspect example.com github.com --exporter prometheus

# Print the version
certinspect --version

Example

$ certinspect pypi.org --verify
=== pypi.org ===
Subject: CN=pypi.org
Status: VALID

Issuer: CN=GlobalSign Atlas R3 DV TLS CA 2025 Q4,O=GlobalSign nv-sa,C=BE
Valid from: 2025-12-28 04:33:08+00:00
Valid until: 2027-01-29 04:33:07+00:00
Days to expiry: 217
Total validity: 396 days

Serial number: 1587345912129534630556007389588586994
Signature: sha256WithRSAEncryption
Key size: 2048 bit
Fingerprint: 15:58:1C:41:02:3F:07:89:85:31:4E:7D:4C:4F:8A:CA:BF:05:C7:F6:...
CA: False
Self-Signed: False
TLS version: TLSv1.3
Cipher: TLS_AES_128_GCM_SHA256
Key usage: digital_signature, key_encipherment
Ext. key usage: serverAuth, clientAuth
Hostname match: True
Chain trusted: True
Revocation: GOOD

SAN:
- pypi.org
- *.pypi.org
- www.pypi.org
- donate.pypi.org

With --verify, certinspect opens a fully verified TLS handshake (chain + hostname against the Python/OpenSSL trust store) and, when the certificate advertises an OCSP responder, queries it for the revocation status. OCSP is soft-fail: an unreachable responder reports UNAVAILABLE and does not change the exit code, while a REVOKED status fails with exit code 6. Revocation is not checked via CRLs.
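The Fingerprint line in the output above is the value a --pin check compares against. The following is an added example, not certinspect's own code, showing how such a SHA-256 pin can be computed and compared with the Python standard library alone. The function names and the sample bytes are assumptions made for illustration, as is the choice to reject pins shorter than a full digest; the digest is taken over the DER encoding, as is conventional for certificate fingerprints, so a PEM and a DER copy of the same certificate yield the same pin.

```python
"""Added example: SHA-256 certificate pinning over DER bytes (stdlib only)."""
import hashlib
import hmac
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def to_der(data: bytes) -> bytes:
    """Return DER bytes for input that is either PEM text or already DER."""
    text = data.lstrip()
    if text.startswith(PEM_HEADER):
        # PEM is base64 armor around the DER encoding; strip and decode it.
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return data


def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha256(to_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Drop colons and case; reject anything that is not 64 hex digits."""
    cleaned = pin.replace(":", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("pin must be a full SHA-256 digest (64 hex digits)")
    return cleaned


def pin_matches(data: bytes, pin: str) -> bool:
    """Compare the certificate's fingerprint with the expected pin."""
    actual = normalize_pin(fingerprint(data))
    # compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(actual, normalize_pin(pin))


# Constructed stand-in for a certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed-der-bytes-for-illustration"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_DER))
    print(pin_matches(SAMPLE_PEM, fingerprint(SAMPLE_DER).lower()))
```

A truncated pin, like the elided AA:BB:CC:... placeholder in the usage listing, raises ValueError here instead of being compared as a prefix.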

Options

Option         Description
target...      One or more domains, URLs or host:port to inspect. Omit when using --file.
--file PATH    Inspect a local certificate (PEM or DER) instead of a host.
--port N       TCP port to connect to (default: 443).
--timeout N    Connection timeout in seconds (default: 5).
--json         Print the result as JSON instead of human-readable text.
--quiet        Only print certificates that have a problem.
--verify       Verify the chain + OCSP revocation, system trust store (hosts only).
--chain        Show the certificate chain presented by the server.
--pin SHA256   Fail (exit 7) unless the SHA-256 fingerprint matches (colons/case ignored).

--input...
